General

Does the License: tag cover the SRPM or the binary RPM?

Answer needs fedora-legal review

It covers what is shipped in the binary RPM. Usually you'll find that packages have a single license so the SRPM and binary RPM are the same but in some cases there are multiple licenses in the source code. See #Multiple licensing situations for how to deal with these.

Freedom

What does it mean when a license is listed as "FSF Free"?

Does Fedora permit anything under "Non-Free" licensing?

When it comes to software or fonts, the answer is definitely no. We strongly prefer that items classified as content (see Code Vs Content) are under a Free license, but we only require that they be freely distributable without restrictions.

If the Library as you received it does not specify a version number of
the GNU Lesser General Public License, you may choose any version of the
GNU Lesser General Public License ever published by the Free Software
Foundation.

The order of operations goes like this:

What does the code say? If it specifies a version, that's what it is.

Does the code conflict with itself? (file1.c and file2.c are compiled together but have different licensing)

Are the conflicting licenses compatible?

Does one license overpower the other one? (GPL/LGPL does this) If so, the strictest license wins.

What does the documentation say? This signals the author(s) intentions from a legal perspective, although, not as binding as in the source. If the documentation specifies a version when the source does not, then we can use the documentation as our source. NOTE: COPYING does not count as documentation, since the author(s) didn't write it (unless they added text before or after the license text clarifying their intentions).

If neither the source, nor the upstream composed documentation says anything about the license version, then it could be under _ANY_ version of the GPL. The version listed in COPYING is irrelevant from this perspective. Technically it could be under any license, but if all we have to go by is COPYING, we'll use COPYING to imply that it is under the GPL, all versions (GPL+).

Now, keep in mind that most upstreams are probably leaving the versioning out by accident. If you get to case 4, you definitely want to
let upstream know that you are unable to determine the applicable licensing (and/or license versioning) from the source and documentation. They'll
almost certainly let you know what their intended license version is, and (hopefully) correct it in the upstream source.

BSD with advertising

What's the deal with the BSD with advertising license?

The original BSD license is commonly found in FOSS code, but it contains an "advertising clause" which makes it incompatible with the GPL (all versions).

July 22, 1999
To All Licensees, Distributors of Any Version of BSD:
As you know, certain of the Berkeley Software Distribution ("BSD") source
code files require that further distributions of products containing all or
portions of the software, acknowledge within their advertising materials
that such products contain software developed by UC Berkeley and its
contributors.
Specifically, the provision reads:
" * 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors."
Effective immediately, licensees and distributors are no longer required to
include the acknowledgement within advertising materials. Accordingly, the
foregoing paragraph of those BSD Unix files containing it is hereby deleted
in its entirety.
William Hoskins
Director, Office of Technology Licensing
University of California, Berkeley

So, this means any code which is under the old BSD with advertising license where the copyright holder is "Regents of the University of California" or "University of California, Berkeley" is effectively under the regular BSD license. You can use that code without the advertising clause, and you should also ask upstream to remove the advertising clause from their code. For purposes of spec labeling, use "BSD".

NOTE: This does NOT apply to any code where the copyright holder is not "Regents of the University of California" or "University of California, Berkeley". In that situation, the advertising clause is still in effect, and if it causes a compatibility issue, you will need to ask the copyright holder to drop the advertising clause.

Multiple licensing situations

How should I handle multiple licensing situations?

It depends on the situation. Here are some common cases:

The source code contains some .c files which are GPLv2+ and some other .c files which are BSD. They're compiled together to form an executable. Since some of the files are licensed as GPL, the resulting executable is also GPL. The License tag should read: License: GPLv2+ Note that you do NOT need to list BSD in the License tag, the License tag reflects the resulting, packaged, items in the binary RPM.

The source code contains some .c files which are GPLv2 and some other .c files which are GPLv2+. They're compiled together to form an executable. In this case, the stricter license wins, so the resulting executable is GPLv2. The License tag should read: License: GPLv2 Note that you do NOT need to list GPLv2 and GPLv2+ in the License tag.

A package has multiple binaries, some of them are GPLv2, some are GPLv3, and some are MIT licensed. In this case, you do need to list all of the individual licenses of the compiled binaries in the License tag, so it should read: License: GPLv2 and GPLv3 and MIT

The source code in my package is dual licensed, it says I can choose either the BSD or the GPLv2 license. In this case, you need to specify that there is a choice in the License tag, it should read: License: BSD or GPLv2

The source code in my package is dual licensed, but one of the licenses is a proprietary license (the other is GPLv2+). You do not need to list the proprietary license in the License tag, so it should read: License: GPLv2+

All of the source code in my package is licensed as BSD, but when compiled, it is linked to a separate GPLv2 library. Do I need to use "GPLv2" as the License tag for my package?

No. You should only be considering the utilized source code in your package when determining your License tag.

What about interpreted languages (perl, python, etc)? If I have a package written in an interpreted language, and it pulls in code (of the same language) from a different, independent package at runtime, should I take its license into account when tagging my package?

No. You should only be considering the utilized source code in your package when determining your License tag.

What about the RSA license on their MD5 implementation? Isn't that GPL-incompatible?

Implementations of these message-digest algorithms, including
implementations derived from the reference C code in RFC-1319, RFC-1320,
and RFC-1321, may be made, used, and sold without license from RSA for
any purpose.

This means that the RFC1321 reference implementation can be used without
the license, and it effectively becomes Copyright only.

Accordingly, Fedora deals with this issue by implementing
a policy that whenever we come across C code that implements RFC-1319,
RFC-1320, and RFC-1321 (MD2, MD4, MD5) under the troublesome BSD with
advertising clause, we will be using it without license from RSA.

In English, it means that we don't need to worry about resolving these
conflicts, but we should advise upstream of the situation, and recommend
that they "use" this code without RSA's license as well, and reflect
that usage in the source code by removing RSA's license (but not RSA's
copyright).